Your COVID-19 HIPAA Guide: Navigating Telehealth, Compliance Changes, and a Remote Workforce
As we come to grips with our new reality during the coronavirus pandemic, the healthcare industry has begun to adapt to its new role. Reaching patients during a time of “social distancing” can be challenging, but we are armed with the technology and the innovation to accommodate these unprecedented times.
With that being the case, medical and dental practices have been forced to change with this rapidly evolving situation. Some of the ways practices now access patient data, hold consultations, and make patient disclosures would not have satisfied the HIPAA rules as previously enforced. The rules themselves have not changed, but their enforcement has been relaxed for the duration of this public health emergency.
Administration Eases the Restrictions on HIPAA
The Health and Human Services Office for Civil Rights (OCR) announced on Tuesday (March 17, 2020) that during the Coronavirus pandemic it will use discretion when enforcing HIPAA-compliance for communications tools.
During a White House Press Conference on Tuesday, Seema Verma, administrator of the Centers for Medicare and Medicaid Services said, “We are doing a dramatic expansion of what’s known as telehealth for our 62 million Medicare beneficiaries, who are amongst the most vulnerable to the coronavirus.”
Given the seriousness of the spread of this virus and the desire to keep as many Americans at home as possible, Medicare will now pay for live audio and video telehealth visits, and the technology used to deliver them will be treated more flexibly under the HIPAA regulations.
During this public health emergency, OCR, the office within the Department of Health and Human Services that enforces the HIPAA Privacy and Security Rules, will not impose penalties on providers who in good faith use remote communications technology that is not fully HIPAA-compliant. This is a critical component of keeping the most vulnerable from being required to be seen in person at a doctor’s office during this pandemic.
What Does This Mean for You or Your Practice?
For the average American, this means that a few things may change regarding your access to healthcare. In order to keep you a safe distance from other patients, especially patients who may be exhibiting symptoms of COVID-19, you may find the following changes:
- OCR will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
- Patients may be able to conference either via live audio or video telehealth methods directly with a doctor.
- Doctors may be able to use their smartphones to “meet” with patients as needed.
- Medical providers are still expected to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.
- Medical professionals will be able to see patients using video chat applications but are asked to avoid public-facing applications such as Facebook Live, TikTok, and Twitch, where a session can be viewed by people other than the patient, to safeguard patient confidentiality.
Given these unprecedented times, it is still important for patients who have issues unrelated to the Coronavirus to maintain good health. Here are a few resources and videos to help you understand these complex issues health care providers are facing.
Frequently Asked Questions
Do I need to obtain a patient’s authorization to share protected health information (PHI)? Under the HIPAA Privacy Rule, during an outbreak of an infectious disease or other emergency situation, covered entities may disclose PHI without a patient’s authorization for the following purposes: treatment, public health activities, friends and family involved in an individual’s care, and preventing a serious and imminent threat. For most disclosures, you must make reasonable efforts to limit the information disclosed to the “minimum necessary”. For more information please see the sharing section of the HHS HIPAA and Novel Coronavirus bulletin.
Our practice would like to provide telehealth services to treat patients. What technology can we use? During this national public health emergency, the Office for Civil Rights (OCR) has issued a notification of enforcement discretion for the good faith provision of telehealth, allowing health providers to use technologies that may not fully comply with the requirements of the HIPAA rules. OCR will not impose penalties for that noncompliance. For example, you may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype, without a Business Associate Agreement (BAA). The one hard restriction is that the video application cannot be public-facing, such as Facebook Live, Twitch, and TikTok. OCR also asks that you enable all available encryption and privacy settings in whatever application you use and tell patients that these third-party applications may introduce privacy risks. Health providers are encouraged to seek additional privacy protections for telehealth through technology vendors that are HIPAA compliant and will sign a BAA, such as GoToMeeting, Skype for Business, and Zoom for Healthcare.
Our staff has never worked from home before. What should they be doing to maintain compliance? Due to the very nature of the healthcare industry, most workers find the idea of working from home foreign, and this can be a challenge for both the organization and the employee. First and foremost, make sure that there is a signed employee confidentiality agreement. In addition, we recommend drafting a work-from-home agreement that sets expectations for productivity, the physical workspace, and security hygiene, in order to establish a HIPAA-compliant environment.
- Keep a record of any property the employee takes home including type, make, model, serial number, and condition.
- Outline a list of duties and productivity expectations. For an employee who has never worked from home, especially during these times, it is easy to lose track of which tasks they should be completing.
- We recommend that employees establish a workspace in a distraction-free area of their home. This is also important for patient privacy, whether during telehealth visits, phone calls, or recording notes on a patient’s chart.
- As they would in the workplace, employees should position their computer screens so they cannot be seen from high-traffic areas of the home and lock their devices whenever they step away. If physical documents were taken out of the workplace, keep them locked in a secure location when not in use.
- It’s important that employees don’t feel isolated. Therefore, we recommend establishing team calls or implementing a collaboration tool such as Slack, which allows employees to keep in touch in real time. Keep PHI out of such chat tools unless the vendor has signed a BAA with your practice.
There are lots of options when it comes to remote access. Our recommendation would be Splashtop or LogMeIn Pro. Both solutions are affordable and can be quickly deployed. The setup process is fairly simple: after signing up for the service, you install a lightweight application on your work computer. Once installed, you can connect securely to your work computer from any supported device, such as a laptop, desktop, tablet, or mobile phone. The remote connection gives you access to all of your work applications and files just as if you were sitting at your desk, while the PHI itself stays on the office machine. Because that account now stands between the internet and your work computer, protect it with a strong, unique password and enable any multi-factor authentication the service offers.
Do we need to provide at-home workers with a company laptop/workstation, or can they use their own personal device to conduct business? We always recommend that work applications be accessed only from company-owned and managed devices, for both compliance and security reasons. However, under the current circumstances, we acknowledge this may not be possible. In the interim, if needed, it is acceptable for an employee to use a personal device to connect to a cloud-hosted application. We do not recommend using a VPN from a personal device: a VPN places an unmanaged device directly on the practice’s network, where any malware already on it can reach servers and other workstations, whereas a remote-access or cloud-hosted application only exposes the screen or the application session to the personal device. For the long term, we recommend using a remote access solution or looking for hosted solutions that securely store your servers, desktops, and data in the cloud, where they can be accessed securely from a personal device.
What codes do we use to bill insurance for telehealth and teledentistry services? While we are not insurance experts, we have done our best to compile a few resources that you may find helpful.
- What is Teledentistry? Teledentistry is a means of delivering patient care and oral health education to people at a remote location or coordinating care providers in the service of patient care. Learn more about D9995 & D9996 coding for Teledentistry…
- What is Telehealth? Telehealth is a collection of means or methods for enhancing health care, public health, and health education delivery and support using telecommunications technologies. Learn more about CPT 99201 & 99215 coding for Telehealth…
In light of the various security bugs recently reported in the video-teleconference (VTC) software of the provider Zoom, we recommend that businesses, including health care companies, seek more secure solutions such as GoToMeeting, Skype for Business, and Google Meet.
The FBI has released a notice outlining steps that should be taken to make sure your telehealth session is protected no matter which VTC platform you use:
- Ensure meetings are private, either by requiring a password for entry or by controlling guest access from a waiting room, so that an uninvited party cannot join a patient visit from a guessed or shared meeting link.
- Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it, and is it enabled by default or only as an option you must turn on?
- Ensure VTC software is up to date on every device used for visits, including staff smartphones. See Understanding Patches and Software Updates.
Recommended Resources
- https://www.us-cert.gov/ncas/current-activity/2020/04/02/fbi-releases-guidance-defending-against-vtc-hijacking-and-zoom
- https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
Resource Center
Bulletins
- Download the OCR bulletin advising covered entities of further flexibilities available to them as well as obligations that remain in effect under HIPAA as they respond to crises or emergencies
- View guidance on BAAs, including sample BAA provisions
- Additional information about HIPAA Security Rule safeguards
- View HealthIT.gov for guidelines and technical assistance on telehealth
- Download the CDC Coronavirus fact sheet
Tools
- Telehealth
- Collaborate
- Electronic Signature
- Password Management
Blogs
- Keeping Electronic Medical Records (EMR) and Electronic Health Records (EHR) Safe
- Coronavirus Phishing and Hacking Scams on the Rise
- What is the Most Common Cause of Data Breaches?
- Top HIPAA Violations
- Protecting Your Business from Phishing Scams
- Top 5 Most Common HIPAA Compliance Issues